A computer network is a collection of interconnected computing devices that can exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets, which are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
The packets are communicated according to a communication protocol that defines the format of the packet. A typical packet, for example, includes a header carrying source and destination information, as well as a payload that carries the actual data. The de facto standard for communication in conventional packet-based networks, including the Internet, is the Internet Protocol (IP).
A system administrator or other user often makes use of a network analyzer to monitor network traffic. In general, a network analyzer is a tool that captures data from a network and presents the data to the user. The network analyzer typically allows the user to browse the captured data, and view summary and detail information for each packet. Accordingly, the user can view the network traffic flowing between devices on the network. Many conventional network analyzers, such as NetFlow, NeTraMet and FlowScan, use software applications to collect traffic flow information.
The analyzer typically monitors and collects packets having routing information that matches criteria specified by the system administrator. The system administrator may specify, for example, source and destination Internet Protocol (IP) addresses, source and destination port numbers, protocol type, type of service (ToS) and input interface information. The analyzer typically collects packets matching the specified criteria, and constructs flow analysis diagrams.
In some cases, a Law Enforcement Agency (LEA) may require the system administrator to mirror network traffic flowing to and from a designated network user. The original network traffic is routed across the network as usual while a mirrored version of the network traffic is forwarded for analysis. The term “lawful intercept” is used to describe the process by which LEAs conduct electronic surveillance of packet-based communications as authorized by a judicial or administrative order. Increasingly, legislation and regulations are being adopted that require public and private service providers to support authorized electronic surveillance. This increase is due in part to the increased use of computer networks for real-time voice communications using, for example, Voice over IP (VoIP).
Conventionally, lawful intercept of a network service, such as VoIP, has been enabled, managed, and monitored at a command line interface presented by a network device providing the network service. This technique may become difficult as the number of network services and respective devices increase. In addition, the system administrator may have difficulty predicting where a mobile network user will log in and access a particular service, thereby increasing the difficulty in enabling the lawful intercept. Moreover, conventional techniques for activating lawful intercept may not work well in environments where users login and logout frequently.
An additional challenge associated with the lawful interception of a network service is that the mirrored data packet streams resulting from the interception are often specific to the type of network in which the mirroring occurs. This makes it difficult to forward the mirrored streams to remote sites for analysis. As a result, it is often difficult to separate the interception point from the analysis point.